Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"


Tested on PHP: no effect.
Tested on ASP/ASPX: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is at: http://localhost/userfiles/file/asd(1).asp
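Why the quick patch above adds `^` and `$`, and why the duplicate-rename path in the advisory needs its own check, shown in Python as an added example that is not part of this post or of FCKeditor's own code. It assumes the connector tests the extension against the allow-list with a regular expression (the reason the patch anchors it), uses a constructed four-entry allow-list instead of the real one, and the function names are hypothetical.

```python
import os
import re

# Constructed allow-list in the "ext1|ext2|..." style of the config.asp
# entries quoted in the post (the real list is much longer).
ALLOWED = "gif|jpg|png|txt"

# Assumption: the connector checks the extension with a regular expression
# built from the allow-list. The post's patch changes "Extensions Here" to
# "^(Extensions Here)$", i.e. it adds anchors; these two patterns show why.
UNANCHORED = re.compile("(" + ALLOWED + ")", re.IGNORECASE)
ANCHORED = re.compile("^(" + ALLOWED + ")$", re.IGNORECASE)


def extension_of(name: str) -> str:
    """Return the text after the last dot (empty if there is no dot)."""
    _, dot, ext = name.rpartition(".")
    return ext if dot else ""


def allowed_unanchored(name: str) -> bool:
    """Weak check: an allowed extension appearing *anywhere* inside the
    extension string satisfies the pattern (substring match)."""
    return UNANCHORED.search(extension_of(name)) is not None


def allowed_anchored(name: str) -> bool:
    """Patched check: the whole extension must equal one allowed value."""
    return ANCHORED.search(extension_of(name)) is not None


def dedupe_name(name: str, existing: set) -> str:
    """Emulate the duplicate handling as the post shows it:
    'asd.asp' becomes 'asd(1).asp', then 'asd(2).asp', and so on."""
    if name not in existing:
        return name
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    n = 1
    while True:
        candidate = f"{stem}({n}).{ext}" if dot else f"{stem}({n})"
        if candidate not in existing:
            return candidate
        n += 1


def hardened_store_name(upload_name: str, existing: set):
    """Defensive version of the name decision (hypothetical helper).
    Returns the name to store, or None if the upload must be rejected:
      1. reject control characters, NUL included, so no lower layer can
         truncate the name at a byte the check never looked at;
      2. strip any directory part;
      3. validate the *final* name, after duplicate renaming, with the
         anchored allow-list, so the rename path is never left unchecked.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in upload_name):
        return None
    base = os.path.basename(upload_name.replace("\\", "/"))
    if not base or base in (".", ".."):
        return None
    final = dedupe_name(base, existing)
    if not allowed_anchored(final):
        return None
    return final


def compare(names):
    """Run the weak and the patched check side by side on a list of names."""
    return {n: (allowed_unanchored(n), allowed_anchored(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names; the NUL-containing one is what the post's
    # "asd.asp%00txt" becomes once the %00 is turned into a raw byte.
    samples = ["photo.jpg", "asd.asp.txt", "asd.asp\x00txt", "shell.asp"]
    for name, (weak, strict) in compare(samples).items():
        print(f"{name!r:20} unanchored={weak!s:5} anchored={strict}")
    print(hardened_store_name("notes.txt", {"notes.txt"}))
```

The interesting row is `asd.asp\x00txt`: its extension string is `asp\x00txt`, which the unanchored pattern accepts because `txt` occurs inside it, while the anchored pattern rejects it. `hardened_store_name` goes one step further than the quick patch by refusing control characters outright and by checking the name that will actually be stored, after the `(1)` rename, rather than the name that was submitted.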